U.S. and Canada Issue Joint Alert on Ransomware

Ransomware has recently become one of the biggest cyber threats to both end users and enterprises, and the United States Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) have now released a joint alert on ransomware threats.

Ransomware is designed to restrict a user’s access to an infected computer until a ransom is paid. While ransomware programs are not new, their use has increased dramatically since the beginning of 2016, with cybercriminals targeting individuals and businesses alike, including healthcare facilities and hospitals worldwide.

Over the past few months, numerous new ransomware families have emerged, including Locky, Magic, Petya, PowerWare, and KeRanger, the first fully functional OS X ransomware, which is based on Linux.Encoder. Ransomware that targets Android exists as well, but, regardless of name or platform, the threat works the same way: it holds users’ data for ransom and aims to extort money from victims.

After infecting a machine and taking control of the user’s data by encrypting personal files, the ransomware displays an on-screen alert informing the victim of what has happened to their files. The note also tells the victim that they must pay a ransom to regain access to the files, usually in a virtual currency such as Bitcoin, and usually amounting to $200–$400.

As DHS and CCIRC note in their joint alert, ransomware is spread via phishing emails that contain malicious attachments, or via drive-by downloads when the user visits an infected website. Exploit kits such as Angler, Nuclear, and Magnitude have all been observed switching to ransomware as their malicious payload over the past several months.

Moreover, malware operators have been focusing on exploiting vulnerable web servers to gain access to enterprise networks, and have also been using social media for distribution. The joint alert also notes that ransomware sees increased use because it is a very efficient method of generating revenue.

Last year, researchers took a closer look at the CryptoWall 3.0 ransomware and discovered over 4,000 malware samples, 839 command and control (C&C) URLs, five second-tier C&C IP addresses, and over 400,000 infection attempts across 49 campaigns. They estimated that the group behind these attacks infected hundreds of thousands of computers worldwide, causing $325 million in damages.

This year, Locky appears to be the fastest growing ransomware family, infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. The threat is distributed via spam emails with malicious Office documents or compressed attachments that contain macros or JavaScript files.

Another destructive ransomware family is Samas, recently discovered to have been used to compromise the networks of healthcare facilities as well. Samas, however, uses penetration testing tools to find vulnerable web servers and leverages these to infect the organization’s networks.

The joint U.S. and Canada alert also reveals that computers infected with ransomware might also be infected with other malicious applications, which are usually dropped in earlier stages of the compromise. Effects of a ransomware infection include temporary or permanent loss of data, disruption of regular operations, financial losses, and potential harm to an organization’s reputation.

The two agencies also suggest that paying a ransom might not be the solution, as it does not guarantee that encrypted files will be released or that the malware infection has been removed.

To avoid the risks associated with such an infection, users and system admins should back up their data and maintain a recovery plan, use application whitelisting to prevent unauthorized software from running, and keep the operating system, applications, and anti-malware software updated at all times.

Users are also advised to avoid clicking on links in emails or enabling macros in email attachments, as this is how the embedded code executes and the malware enters the computer. Enterprises should consider blocking email messages with attachments from suspicious sources, and limiting users’ permissions to install apps.
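The alert's advice to block risky attachments can be turned into a concrete mail-gateway triage step. The following Python script is an added example (it is not code from the alert, from DHS/CCIRC, or from this article) that inspects an attachment's filename and bytes and reports why it should be quarantined: a macro-enabled Office extension, an OOXML document that embeds a `vbaProject.bin` part, a legacy OLE2 Office file whose raw bytes contain a `_VBA_PROJECT` stream name (a heuristic, not a full OLE parser), or a ZIP archive carrying script or executable members such as the `.js` files described above. All sample documents and archives are constructed in memory so the script runs offline; the extension lists are the author's assumptions about common delivery formats, not a list from the alert.

```python
import io
import os
import zipfile

# Script/executable members that spam campaigns have carried inside compressed attachments.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat"}
# OOXML formats that explicitly permit embedded VBA.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppam"}
# All OOXML formats we parse as ZIP containers (a vbaProject.bin inside a .docx is suspicious).
OOXML_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx"} | MACRO_ENABLED_EXTENSIONS
# Legacy binary Office formats (OLE2 compound files) and their magic bytes.
OLE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def _zip_members(data):
    """Return the member names of a ZIP container, or None if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def assess_attachment(filename, data):
    """Return a list of reasons to quarantine the attachment; an empty list means no finding."""
    reasons = []
    ext = _ext(filename)
    if ext in MACRO_ENABLED_EXTENSIONS:
        reasons.append("macro-enabled Office extension")
    if ext in OOXML_EXTENSIONS:
        members = _zip_members(data)
        if members is None:
            reasons.append("Office extension but not a valid OOXML container")
        elif any(m.lower().endswith("vbaproject.bin") for m in members):
            reasons.append("OOXML document embeds a VBA project")
    elif ext in OLE_EXTENSIONS and data.startswith(OLE_MAGIC):
        # Heuristic: OLE2 directory entry names are stored as UTF-16LE, so the
        # VBA storage name shows up verbatim in the raw bytes of a macro document.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            reasons.append("legacy Office file appears to contain a VBA project (heuristic)")
    elif ext in ARCHIVE_EXTENSIONS:
        for m in _zip_members(data) or []:
            if _ext(m) in SCRIPT_EXTENSIONS:
                reasons.append(f"archive contains script/executable member: {m}")
            elif _ext(m) in MACRO_ENABLED_EXTENSIONS:
                reasons.append(f"archive contains macro-enabled Office member: {m}")
    elif ext in SCRIPT_EXTENSIONS:
        reasons.append("bare script/executable attachment")
    return reasons


def should_quarantine(filename, data):
    return bool(assess_attachment(filename, data))


# --- Constructed sample attachments (stand-ins, not real malware) ---

def build_ooxml_sample(with_macro):
    """Minimal OOXML-like ZIP; optionally includes a stub vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"constructed stub")
    return buf.getvalue()


def build_zip_sample(members):
    """ZIP archive with the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_ole_sample(with_macro):
    """Bytes that start like an OLE2 file; optionally embed the UTF-16LE VBA storage name."""
    body = OLE_MAGIC + b"\x00" * 24
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_ooxml_sample(True),
        "report.docx": build_ooxml_sample(False),
        "scan.doc": build_ole_sample(True),
        "order.zip": build_zip_sample({"order.js": b"// constructed", "readme.txt": b"hi"}),
        "notes.zip": build_zip_sample({"notes.txt": b"plain text"}),
    }
    for name, data in samples.items():
        print(f"{name}: {'QUARANTINE' if should_quarantine(name, data) else 'pass'} "
              f"{assess_attachment(name, data)}")
```

At a gateway this would run before delivery, with quarantined items routed for review rather than silently dropped; the OLE check is deliberately conservative and should be replaced by a proper compound-file parser if legacy formats matter in your environment.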

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
